Audit Highlights . . .
Our audit of the use of automated license plate readers (ALPR) at four local law enforcement agencies highlighted the following:
- » Local law enforcement agencies did not always follow practices that adequately consider the individual’s privacy in handling and retaining the ALPR images and associated data.
- » All four agencies have accumulated a large number of images in their ALPR systems, yet most of the images do not relate to their criminal investigations—99.9 percent of the 320 million images Los Angeles stores are for vehicles that were not on a hot list when the image was made.
- Three agencies did not completely or clearly specify who has system access, who has system oversight, or how to destroy ALPR data, and the remaining agency has not developed a policy at all.
- Two of the agencies add and store names, addresses, dates of birth, and criminal charges to their systems—some of these data may be categorized as criminal justice information and may originate from a system maintained and protected by the Department of Justice.
- Three agencies use a cloud storage vendor to hold their many images and associated data, yet the agencies lack contract guarantees that the cloud vendor will appropriately protect the data.
- Three agencies share their images with hundreds of entities across the U.S. but could not provide evidence that they had determined whether those entities have a right or a need to access the images.
- » Agencies may be retaining the images longer than necessary and thus increasing the risk to individuals’ privacy.
- » The agencies have few safeguards for creating ALPR user accounts and have not audited the use of their systems.
Results in Brief
To better protect the privacy of residents, local law enforcement agencies must improve their policies, procedures, and monitoring for the use and retention of license plate images and corresponding data. The majority of California law enforcement agencies (agencies) collect and use images captured by automated license plate reader (ALPR) cameras. The ALPR system is both a real‑time tool for these agencies and an archive of historical images. Fixed cameras mounted to stationary objects, such as light poles, and mobile cameras mounted to law enforcement vehicles, capture ALPR images. Software extracts the license plate number from the image and stores it, with the date, time, and location of the scan and sometimes a partial image of the vehicle, in a searchable database. The software also automatically compares the plate number to stored lists of vehicles of interest, called hot lists then issues alerts, called hits if the plate number matches an entry on the hot list. Agencies compile these hot lists based on vehicles sought in crime investigations and vehicles connected to people of interest—for example, a list of stolen vehicles or of missing persons. We use the term ALPR data to describe all the information stored in an ALPR system, including license plate images and hot lists.
Because an ALPR system stores the plate number and image in a database even if the plate number does not match one on a hot list, the American Civil Liberties Union (ACLU) raised concerns in a 2013 report about law enforcement collecting and storing ALPR images related to individuals not suspected of crimes. The ACLU noted that law enforcement officers could inappropriately monitor the movements of individuals such as ex‑spouses, neighbors, and other associates—actions that do not respect individuals’ privacy. Although ALPR supporters contend that the images are collected in public places where there is no reasonable expectation of privacy, state law has made privacy a consideration when operating or using an ALPR system. Nonetheless, we found that the handling and retention of ALPR images and associated data did not always follow practices that adequately consider an individual’s privacy.
Although law enforcement agencies collect ALPR images in public view, and there is no reasonable expectation of privacy regarding a license plate, the use and retention of those images raises privacy concerns. The four local law enforcement agencies we reviewed—Fresno Police Department (Fresno), Los Angeles Police Department (Los Angeles), Marin County Sheriff’s Office (Marin), and Sacramento County Sheriff’s Office (Sacramento)—have accumulated a large number of images in their ALPR systems, yet most of these images are unrelated to their criminal investigations. For example, at Los Angeles only 400,000 of the 320 million images it has accumulated over several years and stores in its database generated an immediate match against its hot lists. In other words, 99.9 percent of the ALPR images Los Angeles stores are for vehicles that were not on a hot list at the time the image was made. Nevertheless, the stored images provide value beyond immediate hit alerts, as law enforcement personnel can search the accumulated images to determine the vehicles present at particular locations and to track vehicles’ movements at particular times in order to gather or resolve leads in investigations.
Technology gives governments the ability to accumulate volumes of information about people, raising a reasonable question: How is an individual’s privacy to be preserved? Effective in 2016 the California Legislature addressed privacy with respect to ALPR systems through Senate Bill 34 (Statutes of 2015, Chapter 532) (SB 34) by establishing requirements for these systems, including requiring detailed usage and privacy policies that describe the system’s purpose, who may use it, how the agency will share data, how the agency will protect and monitor the system, and how long the agency will keep the data. Yet the agencies we reviewed have not implemented all of the requirements in that law.
ALPR systems may contain data beyond license plate images. For example, we found that Sacramento and Los Angeles are adding names, addresses, dates of birth, and criminal charges to their ALPR systems, which are then stored in those systems. Some of these data may be categorized as criminal justice information; in addition, the data may originate from the California Law Enforcement Telecommunications System (CLETS), which the California Department of Justice (Justice) maintains. These various types of data require different levels of protection under the law. State law requires these agencies to maintain reasonable security procedures and practices to protect ALPR data from unauthorized access, destruction, use, modification, or disclosure. In addition, we believe that policy from the Criminal Justice Information Services Division (CJIS) of the U.S. Federal Bureau of Investigation (FBI) models reasonable security measures for law enforcement agencies’ ALPR data. CJIS policy specifies operational, administrative, technical, and physical safeguards for each of the areas specified in state law.
Fresno, Marin, and Sacramento use a cloud storage solution to hold their many ALPR images and associated data. Although the three agencies told us their systems comply with CJIS policy, none of them could demonstrate the vetting they performed to confirm that their cloud storage vendor did, in fact, meet the CJIS policy standards. Moreover, none of the contracts these three agencies have with their cloud storage vendors include all necessary data security safeguards. Thus, the agencies lack guarantees that the cloud vendor will provide appropriate protection of their data.
Law enforcement agencies of all types may benefit from guidance to improve their policies and data security practices. We surveyed 391 police and sheriff departments statewide, and of those using an ALPR system, 96 percent stated that they have ALPR policies, and nearly all reported that their ALPR data storage solution complies with CJIS policy. However, it is likely that many of the survey respondents have the same problems we identified at the four agencies we visited. Justice has experience guiding law enforcement agencies to help them adhere to state law and to improve their administrative practices. By developing guidance for local agencies on needed ALPR policy elements, Justice could help them improve the quality and completeness of their policies.
State law allows law enforcement agencies to share ALPR images only with public agencies, and it requires such sharing to be consistent with respect for individuals’ privacy. Three of the reviewed agencies share their ALPR images widely using features in the ALPR systems that enable convenient sharing of images with minimal effort. Fresno and Marin have each arranged to share their ALPR images with hundreds of entities and Sacramento with over a thousand entities across the United States. However, we did not find evidence that the agencies had always determined whether an entity receiving shared images had a right and a need to access the images or even that the entity was a public agency. We are concerned that unless an agency conducts verifying research, it will not know who is actually using the ALPR images and for what purpose.
In addition, the agencies have not based their decisions regarding how long to retain their ALPR images on the documented usefulness of those images to investigators, and they may be retaining the images longer than necessary, increasing the risk to individuals’ privacy. Fresno’s policy is to retain ALPR images for one year; Sacramento’s and Marin’s policies specify two years. Los Angeles does not have an ALPR policy, and the lieutenant who administers the ALPR program stated that its protocol is to retain the images for at least five years. However, when we reviewed the agencies’ ALPR searches over a six‑month period in 2019, we found that personnel for three of the four agencies typically searched for images zero to six months old. Nonetheless, the agencies keep the images far longer.
The agencies we reviewed have few safeguards for the creation of ALPR user accounts and have also failed to audit the use of their ALPR systems. Instead of ensuring that only authorized users access ALPR data for appropriate purposes, the agencies have left their systems open to abuse by neglecting to institute sufficient oversight. Over the years, the media has reported that some individuals within law enforcement used or could use data systems—and sometimes ALPR systems—to obtain information about individuals for their personal use, including to locate places they regularly visit, to determine their acquaintances, and to blackmail them based on this information. ALPR systems should be accessible only to employees who need the data, and accounts should be promptly disabled otherwise. However, the agencies often neglected to limit ALPR system access and have allowed accounts that should be disabled to remain active longer than is prudent. To further ensure that individuals with access do not misuse the ALPR systems, the agencies should be auditing the license plate searches that users perform, along with conducting other monitoring activities. Instead, the agencies have conducted little to no auditing and monitoring and thus have no assurance that misuse has not occurred.
To better protect individuals' privacy and to help ensure that local law enforcement agencies structure their ALPR programs in a manner that supports accountability for proper database use, the Legislature should amend state law to do the following:
- Require Justice to draft and make available on its website a policy template that local law enforcement agencies can use as a model for their ALPR policies.
- Require Justice to develop and issue guidance to help local law enforcement agencies identify and evaluate the types of data they are currently storing in their ALPR systems. The guidance should include the necessary security requirements agencies should follow to protect the data in their ALPR systems.
- Establish a maximum data retention period for ALPR images.
- Specify how frequently ALPR system use must be audited and that the audits must include assessing user searches.
Law Enforcement Agencies
To address the shortcomings this audit identified, Fresno, Los Angeles, Marin, and Sacramento should do the following:
- Improve their ALPR policies.
- Implement needed ALPR data security.
- Update vendor contracts with necessary data safeguards.
- Ensure that sharing of ALPR images is done appropriately.
- Evaluate and reestablish data retention periods.
- Develop and implement procedures for granting and managing user accounts.
- Develop and implement ALPR system oversight.
The four law enforcement agencies we reviewed responded to the draft audit report. Fresno responded that it will use the audit to work to achieve its goal of building trust in its community. Los Angeles responded that it respects individuals’ privacy and believes it has policies in place to safeguard information. Nonetheless, it is working on an ALPR policy as required by state law and will perform periodic audits of users’ searches. Marin stated it is committed to improvement and will consider the recommendations we made, although it disagreed with several of them. Sacramento stated that it had already begun implementing many of the recommendations, but that it did not agree with how we characterized some of the findings. Justice and the Sacramento County Department of Human Assistance also responded by acknowledging the draft report, although we did not have recommendations directed to either entity.